Hello guys!
I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3.
I am building a PDC with LDAP support (i am attaching my config files),
I'm also using ldapsam:trusted and ldapsam:editposix.
Although I am setting the account lock after 3 failed tries in usrmgr,
and verified that the parameters are actually set in the LDAP, no
locking occurs.
I started thinking that it was my fault, since I generate my own ldif
from a small app I created that reads a Windows AD and creates/fills an
OpenLDAP with the relevant info that Linux (posix account information)
and Samba needs, just like my "own" "net vampire", just that mine reads
a native AD and migrates to Samba, it just defaults passwords to 1-8.
cool! eh? ;)
Since everything seems to work OK except for the account locking, I
rebuilt the server from scratch using "net sam provision", created
an extra account and joined a machine, but it still seems account locking
is not working on samba 3.2.4.
Any ideas/suggestions are welcome.
Victor Medina
**************
Some relevant steps i did to set it up
**************
# Store the bind password for the "ldap admin dn" in Samba's secrets store;
# the same value is then registered for the two idmap LDAP backends that
# smb.conf configures below. NOTE(review): all three commands take the
# password on the command line, so it is visible in shell history and in the
# process list while the command runs -- treat these as bootstrap values and
# change them once the setup works.
smbpasswd -w 12345678
net idmap secret DEFAULT 12345678
net idmap secret alloc 12345678
rcwinbind restart
# Creates the domain entry, the well-known groups and the Administrator /
# guest accounts in LDAP (these are the entries that appear in the LDIF
# export further down).
net sam provision
smbpasswd administrator
# One command, wrapped over three lines by the mail client (there are no
# line continuations in the original): grants the listed privileges to the
# domain Administrator. Requires "enable privileges = yes" in smb.conf.
net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege
SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
rcsmb start && rcnmb start && rcwinbind start
***********************************
SMB.conf (global)
***********************************
[global]
# Domain role: this host is the PDC for C1.VE (domain logons), the domain and
# local master browser and the WINS server. Nothing in smb.conf controls
# account lockout; the threshold/window/duration set from usrmgr are stored on
# the sambaDomainName=C1.VE entry (see the LDIF export further down).
workgroup = C1.VE
netbios name = PDC-EPA1
security = user
# "Bad User" maps logons with an *unknown* user name to the guest account; a
# wrong password for an existing user is still rejected (and so still counts
# as a failed attempt). The Invitado entry in the LDIF carries [DU ], i.e. the
# guest account is disabled.
guest account = Invitado
map to guest = Bad User
# Needed for the `net rpc rights grant` step in the setup notes.
enable privileges = yes
server string =
time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = yes
domain master = yes
os level = 65
preferred master = yes
wins support = yes
# Idle sessions are dropped after 20 minutes.
deadtime = 20
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
encrypt passwords = yes
# Account database: the local OpenLDAP server (slapd.conf below), reached over
# plain ldap:// on the loopback interface; whether STARTTLS is negotiated
# depends on the "ldap ssl" default of this build. Samba binds as the admin
# dn with the password stored via `smbpasswd -w`; that dn is slapd's rootdn,
# so slapd ACLs never apply to Samba's own operations.
# NOTE(review): the base is written "dc=xxxx" here but "dc=xxx" in the suffix
# lines -- presumably a redaction artefact rather than two different bases.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Administrador,dc=xxxx
ldap suffix = dc=c1,c=ve,dc=xxx
ldap user suffix = ou=people
ldap group suffix = ou=group
# Machine accounts share ou=people with users (the FERRETER-PRUQ3Z$ entry in
# the LDIF confirms where `net join` put the workstation account).
ldap machine suffix = ou=people
# Deleting a Samba account removes the whole LDAP entry, not just the
# samba* attributes.
ldap delete dn = yes
# A Samba password change also rewrites userPassword, keeping the LDAP and
# NT credentials in step.
ldap passwd sync = yes
# trusted: Samba takes the posix attributes straight from the LDAP entries
# instead of going through NSS; editposix: Samba creates and edits the
# posixAccount/posixGroup entries itself (this is what lets `net sam
# provision` populate the directory).
ldapsam:trusted = yes
ldapsam:editposix = yes
# SID<->uid/gid mapping and id allocation live in ou=idmap of the same
# directory (the sambaUnixIdPool entry in the LDIF). The bind password for
# ldap_user_dn is the one set with `net idmap secret`.
idmap domains = DEFAULT
idmap config DEFAULT:backend = ldap
idmap config DEFAULT:readonly = no
idmap config DEFAULT:default = yes
idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
idmap config DEFAULT:ldap_url = ldap://127.0.0.1
idmap config DEFAULT:range = 10000-100000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:range = 10000-100000
# Printing through CUPS, printers auto-loaded from the printcap.
printing = cups
printcap name = cups
show add printer wizard = yes
load printers = yes
# Permissions for files/directories created through Samba: owner read/write,
# group read, nothing for others.
create mask = 0640
directory mask = 0750
force create mode = 0640
force directory mode = 0750
# File-name case handling and character sets for DOS and Unix clients.
preserve case = yes
short preserve case = yes
case sensitive = no
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
nt acl support = yes
***********************
slapd.conf
***********************
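# OpenLDAP (slapd) configuration backing the Samba PDC.
modulepath /usr/lib/openldap/modules
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba3.schema provides sambaSamAccount, sambaDomain, sambaGroupMapping,
# sambaUnixIdPool and the samba* attributes used in the LDIF below.
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# ACLs are evaluated in order: the first "access to" clause matching the
# target decides. The rootdn configured below bypasses ACLs entirely, and
# Samba's "ldap admin dn" as well as the idmap ldap_user_dn bind as that
# rootdn, so none of these rules restrict Samba's own reads or writes.
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
# Password-equivalent attributes. The NT/LM hashes and the password history
# can be used directly to authenticate, so they get the same treatment as
# userPassword: the owner may change them, everyone else may only use them
# for a bind. As originally posted they were not listed here and fell
# through to the catch-all "access to *  by * read" rule, which made them
# readable by anonymous binds.
access to attrs=userPassword,userPKCS12,sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
# Everything else (posix attributes, group mappings, the sambaDomain policy
# entry) is world-readable.
access to *
        by * read
# -1 turns on every log category. Useful while chasing the lockout problem,
# but very noisy; narrow it (e.g. "stats") once the issue is resolved.
loglevel -1
database bdb
suffix "dc=xxx"
# rootdn is not subject to the ACLs above; it is the identity Samba binds
# with (smb.conf "ldap admin dn").
rootdn "cn=Administrador,dc=xxx"
rootpw "{SSHA}xxx"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
# Indexes on the attributes Samba searches by; the sambaSID equality index
# covers the lookups ldapsam issues most often.
index objectClass,uidNumber,gidNumber,memberUid eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub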
*****************************
LDIF:
*****************************
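# This file was generated on 2008-11-05 at 11:20:00
# from the ldap://172.16.152.200:389 (bound as cn=Administrador,dc=xxxx)
# by Softerra LDAP Administrator v3 [ http://www.ldapadministrator.com ]
#
# Export of the Samba PDC tree as posted, with the layout repaired so that it
# is valid LDIF again: entries are separated by a blank line, wrapped values
# continue on lines that start with a single space, and the base64 value the
# mail client had glued onto the following attribute is back on its own line.
# No attribute values were changed.

dn: c=ve,dc=xxxx
c: ve
objectClass: top
objectClass: country
description: Infraestructura Tecnologica - Venezuela

dn: dc=c1,c=ve,dc=xxxx
dc: c1
objectClass: dcObject
objectClass: organizationalUnit
ou: Tienda 1 / Oficina Central xxxx / Venezuela
description: xxxx / Oficina Central EPA / Venezuela

dn: ou=people,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
ou: group

# Id allocation pool used by both idmap backends in smb.conf: the next free
# gid/uid to hand out.
dn: ou=idmap,dc=c1,c=ve,dc=xxxx
objectClass: top
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: idmap
gidNumber: 10016
uidNumber: 10004

# Domain entry. The account policy set from usrmgr is stored here
# (sambaLockoutThreshold 3, sambaLockoutObservationWindow 30,
# sambaLockoutDuration -1); presumably these are the values Samba consults
# when deciding whether to lock an account, so they are the first thing to
# compare against what usrmgr shows.
dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx
sambaDomainName: C1.VE
sambaSID: S-1-5-21-1230964018-1252349843-1944742870
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1002
sambaLockoutDuration: -1
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 3
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaForceLogoff: -1

# Domain groups (RID 513 = Domain Users, 512 = Domain Admins), each mapped to
# a posix gid.
dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domusers
displayName: Domain Users
gidNumber: 10000
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513
sambaGroupType: 2

dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadmins
displayName: Domain Admins
gidNumber: 10001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512
sambaGroupType: 2

# Built-in Administrator (RID 500). sambaNTPassword is password-equivalent
# and must be protected by the slapd ACL exactly like userPassword.
# sambaProfilePath is base64 ("::"); "IA=" looks like a single space with the
# padding lost in the mail ("IA==") -- confirm against the live entry.
dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
displayName: Administrator
uidNumber: 10000
gidNumber: 10001
homeDirectory: /home/C1.VE/Administrator
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
sambaPasswordHistory:
 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1225815211
sambaAcctFlags: [U ]
userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8
sambaProfilePath:: IA=

# Guest account referenced by "guest account = Invitado" in smb.conf.
# Flags [DU ]: D = disabled, U = normal user account.
dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Invitado
cn: Invitado
displayName: Invitado
uidNumber: 10001
gidNumber: 10000
homeDirectory: /
loginShell: /bin/false
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501
sambaAcctFlags: [DU ]

# Built-in local groups (S-1-5-32-544 Administrators, -545 Users), with the
# domain groups above nested via sambaSIDList.
dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: 10002
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512

dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10003
sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513

# Workstation trust account created by the domain join (flag W, trailing $).
# Its sambaNTPassword is the machine password; same ACL concern as above.
dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx
uid: FERRETER-PRUQ3Z$
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
cn: FERRETER-PRUQ3Z$
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/C1.VE/SMB_workstations_home
loginShell: /bin/false
sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9
sambaPwdLastSet: 1225815330

# The extra test user. sambaBadPasswordCount / sambaBadPasswordTime are the
# per-account failure counters; both are still 0 here. If they remain 0 after
# deliberate wrong-password attempts, the failures are not being recorded at
# all, which narrows the lockout problem down considerably.
dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx
uid: test001
sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002
objectClass: sambaSamAccount
objectClass: account
objectClass: posixAccount
cn: test001
uidNumber: 10003
gidNumber: 10000
homeDirectory: /home/C1.VE/test001
loginShell: /bin/false
sambaKickoffTime: 0
sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8
sambaPasswordHistory:
 B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000000000000000000000000000000000000000000000000000000000000000
 0000000000000000
sambaPwdLastSet: 1225815887
userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP
sambaProfilePath:: IA=
sambaAcctFlags: [U ]
sambaBadPasswordTime: 0
sambaBadPasswordCount: 0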
https://bugzilla.samba.org/show_bug.cgi?id=5825 I raised this bug a while ago experiencing what you are.Nobody seems to have done much about it. Victor Medina wrote:> Hello guys! > > I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3. > > I am building a PDC with LDAP support (i am attaching my config files), > I'm also using ldapsam:trusted and ldapsam:editposix. > > Although I am setting the account lock after 3 failed tries in usrmgr, > and verified that the parameters are actually set in the LDAP, no > locking occurs. > > I started thinking that it was my fault, since i generate my own ldif > from a small app i created that reads a Windows AD and creates/fills an > OpenLDAP with the relevant info that Linux (posix account information) > and Samba needs, just like my "own" "net vampire", just that mine reads > a native AD and migrates to Samba, it just defaults passwords to 1-8. > > cool! eh? ;) > > Since everything seems to worked OK except for the account locking, i > rebuild the server from scratch using "net sam provision" and created > and extra account, joined a machine, but stills it seems account locking > is not working on samba 3.2.4. > > any ideas/suggestions are welcome? 
> > Victor Medina > > > > ************** > Some relevant steps i did to set it up > ************** > > > smbpasswd -w 12345678 > net idmap secret DEFAULT 12345678 > net idmap secret alloc 12345678 > rcwinbind restart > net sam provision > smbpasswd administrator > net rpc rights grant "c1.ve\administrator" SeMachineAccountPrivilege > SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege > SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator > > rcsmb start && rcnmb start && rcwinbind start > > > > > *********************************** > SMB.conf (global) > *********************************** > > [global] > workgroup = C1.VE > netbios name = PDC-EPA1 > security = user > guest account = Invitado > map to guest = Bad User > enable privileges = yes > server string = > time server = yes > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > domain logons = yes > domain master = yes > os level = 65 > preferred master = yes > wins support = yes > deadtime = 20 > dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd > encrypt passwords = yes > passdb backend = ldapsam:ldap://127.0.0.1 > ldap admin dn = cn=Administrador,dc=xxxx > ldap suffix = dc=c1,c=ve,dc=xxx > ldap user suffix = ou=people > ldap group suffix = ou=group > ldap machine suffix = ou=people > ldap delete dn = yes > ldap passwd sync = yes > > > ldapsam:trusted = yes > ldapsam:editposix = yes > > idmap domains = DEFAULT > idmap config DEFAULT:backend = ldap > idmap config DEFAULT:readonly = no > idmap config DEFAULT:default = yes > idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx > idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx > idmap config DEFAULT:ldap_url = ldap://127.0.0.1 > idmap config DEFAULT:range = 10000-100000 > > idmap alloc backend = ldap > idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx > idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx > idmap alloc config:ldap_url = ldap://127.0.0.1 > idmap alloc 
config:range = 10000-100000 > > > > > printing = cups > printcap name = cups > show add printer wizard = yes > load printers = yes > > > create mask = 0640 > directory mask = 0750 > force create mode = 0640 > force directory mode = 0750 > preserve case = yes > short preserve case = yes > case sensitive = no > mangling method = hash2 > Dos charset = 850 > Unix charset = ISO8859-1 > nt acl support = yes > > > > > > > *********************** > slapd.conf > *********************** > > modulepath /usr/lib/openldap/modules > include /etc/openldap/schema/core.schema > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/nis.schema > include /etc/openldap/schema/samba3.schema > > pidfile /var/run/slapd/slapd.pid > argsfile /var/run/slapd/slapd.args > > access to dn.base="" > by * read > > access to dn.base="cn=Subschema" > by * read > > access to attrs=userPassword,userPKCS12 > by self write > by * auth > > access to attrs=shadowLastChange > by self write > by * read > > access to * > by * read > > loglevel -1 > > database bdb > suffix "dc=xxx" > rootdn "cn=Administrador,dc=xxx" > rootpw "{SSHA}xxx" > directory /var/lib/ldap/ > > checkpoint 1024 5 > cachesize 10000 > > > index objectClass,uidNumber,gidNumber,memberUid eq > index member,mail eq,pres > index cn,displayname,uid,sn,givenname sub,eq,pres > index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq > index default sub > > > > > > ***************************** > LDIF: > ***************************** > # This file was generated on 2008-11-05 at 11:20:00 > # from the ldap://172.16.152.200:389 (bound as > cn=Administrador,dc=xxxx) > # by Softerra LDAP Administrator v3 > [ http://www.ldapadministrator.com ] > dn: c=ve,dc=xxxx > c: ve > objectClass: top > objectClass: country > description: Infraestructura Tecnologica - Venezuela > > dn: dc=c1,c=ve,dc=xxxx > dc: c1 > objectClass: dcObject > objectClass: organizationalUnit > ou: Tienda 1 / Oficina 
Central xxxx / Venezuela > description: xxxx / Oficina Central EPA / Venezuela > > dn: ou=people,dc=c1,c=ve,dc=xxxx > objectClass: top > objectClass: organizationalUnit > ou: people > > dn: ou=group,dc=c1,c=ve,dc=xxxx > objectClass: top > objectClass: organizationalUnit > ou: group > > dn: ou=idmap,dc=c1,c=ve,dc=xxxx > objectClass: top > objectClass: organizationalUnit > objectClass: sambaUnixIdPool > ou: idmap > gidNumber: 10016 > uidNumber: 10004 > > dn: sambaDomainName=C1.VE,dc=c1,c=ve,dc=xxxx > sambaDomainName: C1.VE > sambaSID: S-1-5-21-1230964018-1252349843-1944742870 > sambaAlgorithmicRidBase: 1000 > objectClass: sambaDomain > sambaNextUserRid: 1000 > sambaRefuseMachinePwdChange: 0 > sambaNextRid: 1002 > sambaLockoutDuration: -1 > sambaLockoutObservationWindow: 30 > sambaLockoutThreshold: 3 > sambaMinPwdLength: 5 > sambaPwdHistoryLength: 5 > sambaLogonToChgPwd: 0 > sambaMaxPwdAge: 7776000 > sambaMinPwdAge: 0 > sambaForceLogoff: -1 > > dn: cn=domusers,ou=group,dc=c1,c=ve,dc=xxxx > objectClass: posixGroup > objectClass: sambaGroupMapping > cn: domusers > displayName: Domain Users > gidNumber: 10000 > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-513 > sambaGroupType: 2 > > dn: cn=domadmins,ou=group,dc=c1,c=ve,dc=xxxx > objectClass: posixGroup > objectClass: sambaGroupMapping > cn: domadmins > displayName: Domain Admins > gidNumber: 10001 > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-512 > sambaGroupType: 2 > > dn: uid=Administrator,ou=people,dc=c1,c=ve,dc=xxxx > objectClass: account > objectClass: posixAccount > objectClass: sambaSamAccount > uid: Administrator > cn: Administrator > displayName: Administrator > uidNumber: 10000 > gidNumber: 10001 > homeDirectory: /home/C1.VE/Administrator > loginShell: /bin/false > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-500 > sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52 > sambaPasswordHistory: > 0000000000000000000000000000000000000000000000000000000000000000 > sambaPwdLastSet: 1225815211 > 
sambaAcctFlags: [U ] > userPassword: {SSHA}YP8U0rTihCaNlp83JlS+ZWJv4jyEFhH8 > sambaProfilePath:: > IA=> > dn: uid=Invitado,ou=people,dc=c1,c=ve,dc=xxxx > objectClass: account > objectClass: posixAccount > objectClass: sambaSamAccount > uid: Invitado > cn: Invitado > displayName: Invitado > uidNumber: 10001 > gidNumber: 10000 > homeDirectory: / > loginShell: /bin/false > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-501 > sambaAcctFlags: [DU ] > > dn: sambaSID=S-1-5-32-544,ou=group,dc=c1,c=ve,dc=xxxx > objectClass: sambaSidEntry > objectClass: sambaGroupMapping > sambaSID: S-1-5-32-544 > sambaGroupType: 4 > displayName: Administrators > gidNumber: 10002 > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-512 > > dn: sambaSID=S-1-5-32-545,ou=group,dc=c1,c=ve,dc=xxxx > objectClass: sambaSidEntry > objectClass: sambaGroupMapping > sambaSID: S-1-5-32-545 > sambaGroupType: 4 > displayName: Users > gidNumber: 10003 > sambaSIDList: S-1-5-21-1230964018-1252349843-1944742870-513 > > dn: uid=FERRETER-PRUQ3Z$,ou=people,dc=c1,c=ve,dc=xxxx > uid: FERRETER-PRUQ3Z$ > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1001 > sambaAcctFlags: [W ] > objectClass: sambaSamAccount > objectClass: account > objectClass: posixAccount > cn: FERRETER-PRUQ3Z$ > uidNumber: 10002 > gidNumber: 10000 > homeDirectory: /home/C1.VE/SMB_workstations_home > loginShell: /bin/false > sambaNTPassword: B055ADEFB17BCC6E6FAC8D1AC4A74DF9 > sambaPwdLastSet: 1225815330 > > dn: uid=test001,ou=people,dc=c1,c=ve,dc=xxxx > uid: test001 > sambaSID: S-1-5-21-1230964018-1252349843-1944742870-1002 > objectClass: sambaSamAccount > objectClass: account > objectClass: posixAccount > cn: test001 > uidNumber: 10003 > gidNumber: 10000 > homeDirectory: /home/C1.VE/test001 > loginShell: /bin/false > sambaKickoffTime: 0 > sambaNTPassword: AD396BEB5A4668D740B3A9ADC48655A8 > sambaPasswordHistory: > B2AA5A8D71A95E53A0B4F943CDF222B2F54631924E73FE70C98B6731A1656B04000000000000 > > 
0000000000000000000000000000000000000000000000000000000000000000000000000000 > > 0000000000000000000000000000000000000000000000000000000000000000000000000000 > > 0000000000000000000000000000000000000000000000000000000000000000000000000000 > 0000000000000000 > sambaPwdLastSet: 1225815887 > userPassword: {SSHA}nRA+2FYkZPXKBN1wri6HBcuTk2ZA6zqP > sambaProfilePath:: > IA=> sambaAcctFlags: [U ] > sambaBadPasswordTime: 0 > sambaBadPasswordCount: 0 > > > > >